While working on NXP-XXXXX we had needs to leverage ClientLoginModule to do security checks.
We do have APIs to create a CoreSession for a specific user which don't check existence of user in UserManager, we also have ClientLoginFeature which provides LoginModule to login any users within calls to various Framework#login methods. Thus CoreInstance leverages this login context to create CoreSession.
But this present limitations:
- the latter must not be used with org.nuxeo.ecm.platform.web.common bundle which deploys the full login engine, and we have tests having this configuration. In such cases we're not confident in what's deployed in test runtime
- we have APIs to bypass the LoginContext while we shouldn't, the login context should be linked to CoreSession creation like it is during nuxeo runtime. Furthermore some 'test only' APIs are used in sources
- in sources or tests, log in framework and then create a session costs several lines while this should be something easy like CoreInstance#doPrivileged
- almost all of our tests are done by using an Administrator
In order to test NXP-XXXXX we need to log in the framework in nuxeo-core-test module.
An interesting solution was introduced during BAF development (
We need to implement a DummyLoginFeature which deploys a simple LoginModule to easily log in framework and create session during tests.
This feature should be available under nuxeo-core-api and easily overridable by higher modules where login leverage UserManager or authentication filter.